What's the difference between GDPR and the Data Protection Act 2018?

When trying to work out what to do about ‘data protection’ compliance, small businesses may be wondering why there is a new Data Protection Act 2018 when we were told that the EU’s GDPR is directly effective in UK law. The simple answer is that they are complimentary and we need both of them (even without the complications of Brexit...).
It is correct that the GDPR (EU General Data Protection Regulation) has been directly applicable law in the UK since 25th May 2018. Most of the detailed legal provisions that all businesses must comply with are set out in the GDPR itself (which is a change from the previous data protection regime where the EU ‘Data Protection Directive’ was not directly applicable and was implemented in the UK by the Data Protection Act 1998). However, the GDPR does not cover everything that is needed to have a workable data protection regime so each EU country still has some of its own legislation to fill the gaps - that is where the new Data Protection Act (DPA) 2018 comes in.
In fact, the DPA 2018 performs three main functions:

It fills in the gaps that have (intentionally) been left in GDPR to give each member state some leeway in implementation. The GDPR gives member states limited opportunities to make provision for how it applies in their country and the DPA 2018 fills those gaps for the UK – for example how to define ‘public authorities’.

It extends and clarifies how data protection laws apply to certain broad areas that are excluded from GDPR and are left to each member state, such as immigration, intelligence and law enforcement.

It sets out the detailed provisions needed for the funding and functioning of the UK’s data protection regulator - the Information Commissioner’s Office (ICO). For example, it covers the ICO’s duties, functions and powers, plus the enforcement provisions.

It also deals with some administrative points, such as repealing the old Data Protection Act 1998 and making changes needed to deal with the interaction with related legislation such as the Freedom of Information Act.
The DPA therefore sits alongside the GDPR. When considering your data protection duties, both the GDPR and the new DPA will have to be consulted. And to make sense of it all, the various bits of guidance from the ICO will be a more useful source of information than reading the legislation!
Astrid draws on GDPR, DPA and the ICO guidance to provide a step by step guide for small businesses, as well as templates and tools to make compliance less confusing and easy to demonstrate to customers and regulators. Find out more here.